From d9ee6c7ea0b7b0017c285c1f8055023314d0edaa Mon Sep 17 00:00:00 2001
From: ghen
Date: Sat, 8 Sep 2007 09:54:45 +0000
Subject: Pullup ticket 2184 - requested by tron security update for apache2 - pkgsrc/devel/apr0/Makefile 1.3 - pkgsrc/devel/apr0/distinfo 1.2 - pkgsrc/www/apache2/Makefile 1.118 - pkgsrc/www/apache2/Makefile.commom 1.22 - pkgsrc/www/apache2/PLIST 1.35 - pkgsrc/www/apache2/distinfo 1.51 - pkgsrc/www/apache2/patches/patch-ap removed - pkgsrc/www/apache2/patches/patch-aq removed Module Name: pkgsrc Committed By: tron Date: Fri Sep 7 23:11:41 UTC 2007 Modified Files: pkgsrc/devel/apr0: Makefile distinfo pkgsrc/www/apache2: Makefile Makefile.common PLIST distinfo Log Message: Update "apr" package to version 0.9.16.2.0.61 and "apache2" package to version 2.0.61. This update is a bug and security fix release. The following security problem hasn't been fixed in "pkgsrc" before: - CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. --- Module Name: pkgsrc Committed By: tron Date: Fri Sep 7 23:28:23 UTC 2007 Removed Files: pkgsrc/www/apache2/patches: patch-ap patch-aq Log Message: Remove obsolete patch files.
---
 devel/apr0/Makefile | 3 +-
 devel/apr0/distinfo | 8 ++--
 www/apache2/Makefile | 3 +-
 www/apache2/Makefile.common | 8 ++--
 www/apache2/PLIST | 5 ++-
 www/apache2/distinfo | 10 ++---
 www/apache2/patches/patch-ap | 44 ----------------------
 www/apache2/patches/patch-aq | 87 --------------------------------------------
 8 files changed, 17 insertions(+), 151 deletions(-)
 delete mode 100644 www/apache2/patches/patch-ap
 delete mode 100644 www/apache2/patches/patch-aq
diff --git a/devel/apr0/Makefile b/devel/apr0/Makefile
index 6a5efb81906..b147d04a596 100644
--- a/devel/apr0/Makefile
+++ b/devel/apr0/Makefile
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2007/02/11 16:05:51 tv Exp $
+# $NetBSD: Makefile,v 1.2.4.1 2007/09/08 09:54:45 ghen Exp $
 .include "../../www/apache2/Makefile.common"
 PKGNAME= apr-${APR_VERSION}.${APACHE_VERSION}
-PKGREVISION= 3
 CATEGORIES= devel
 HOMEPAGE= http://apr.apache.org/
diff --git a/devel/apr0/distinfo b/devel/apr0/distinfo
index 5f38a206808..d06ebd0bf13 100644
--- a/devel/apr0/distinfo
+++ b/devel/apr0/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.1.1.1 2007/01/24 19:31:24 epg Exp $
+$NetBSD: distinfo,v 1.1.1.1.4.1 2007/09/08 09:54:45 ghen Exp $
-SHA1 (httpd-2.0.59.tar.bz2) = 908209cd6e52f700d2a841a25de36e44d469c376
-RMD160 (httpd-2.0.59.tar.bz2) = 78b802354e338798a6978ece8b3568be97542174
-Size (httpd-2.0.59.tar.bz2) = 4743549 bytes
+SHA1 (httpd-2.0.61.tar.bz2) = 665017829022d287ffe3cec749e2b5b61252d7b4
+RMD160 (httpd-2.0.61.tar.bz2) = a2c2c90976a967112a9129b9716d880d71261882
+Size (httpd-2.0.61.tar.bz2) = 4580339 bytes
 SHA1 (patch-aa) = c84bdb6bcb14bf6bc7ea0d8f13334dd8c3ef2ef9
 SHA1 (patch-an) = 76d9ac0cdddec7c0f41535baee63bf0aa26ed596
 SHA1 (patch-ao) = e35630af53a78fce9aa5347a81cb1bcf8fb3058e
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index 68114f91909..6a106902bd2 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.114 2007/06/28 01:49:04 lkundrak Exp $
+# $NetBSD: Makefile,v 1.114.2.1 2007/09/08 09:54:45 ghen Exp $
 .include "Makefile.common"
 PKGNAME= apache-${APACHE_VERSION}
-PKGREVISION= 6
 CATEGORIES= www
 HOMEPAGE= http://httpd.apache.org/
diff --git a/www/apache2/Makefile.common b/www/apache2/Makefile.common
index 276709391f7..0e4c3c94130 100644
--- a/www/apache2/Makefile.common
+++ b/www/apache2/Makefile.common
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile.common,v 1.21 2006/07/28 10:38:36 tron Exp $
+# $NetBSD: Makefile.common,v 1.21.8.1 2007/09/08 09:54:45 ghen Exp $
 DISTNAME= httpd-${APACHE_VERSION}
 EXTRACT_SUFX= .tar.bz2
 # When updating this version be sure to update the checksum and remove
 # any PKGREVISION for devel/apr also.
-APACHE_VERSION= 2.0.59
-APR_VERSION= 0.9.12
+APACHE_VERSION= 2.0.61
+APR_VERSION= 0.9.16
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
 ${MASTER_SITE_APACHE:=httpd/old/} \
 http://www.NetBSD.org/images/logos/
-MAINTAINER= tron@NetBSD.org
+MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/www/apache2/PLIST b/www/apache2/PLIST
index 32664e21255..f6acb2e04c0 100644
--- a/www/apache2/PLIST
+++ b/www/apache2/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.34 2006/07/28 13:35:37 tron Exp $
+@comment $NetBSD: PLIST,v 1.34.8.1 2007/09/08 09:54:46 ghen Exp $
 include/httpd/ap_compat.h
 include/httpd/ap_config.h
 include/httpd/ap_config_auto.h
@@ -154,6 +154,7 @@ share/httpd/htdocs/index.html.var
 share/httpd/htdocs/index.html.zh-cn.gb2312
 share/httpd/htdocs/index.html.zh-tw.big5
 share/httpd/icons/README
+share/httpd/icons/README.html
 share/httpd/icons/a.gif
 share/httpd/icons/a.png
 share/httpd/icons/alert.black.gif
@@ -281,7 +282,6 @@ share/httpd/icons/screw2.gif
 share/httpd/icons/screw2.png
 share/httpd/icons/script.gif
 share/httpd/icons/script.png
-share/httpd/icons/small/README.txt
 share/httpd/icons/small/back.gif
 share/httpd/icons/small/back.png
 share/httpd/icons/small/binary.gif
@@ -721,6 +721,7 @@ share/httpd/manual/mod/mod_logio.html.ja.euc-jp
 share/httpd/manual/mod/mod_logio.html.ko.euc-kr
 share/httpd/manual/mod/mod_mem_cache.html
 share/httpd/manual/mod/mod_mem_cache.html.en
+share/httpd/manual/mod/mod_mem_cache.html.ja.euc-jp
 share/httpd/manual/mod/mod_mem_cache.html.ko.euc-kr
 share/httpd/manual/mod/mod_mime.html
 share/httpd/manual/mod/mod_mime.html.en
diff --git a/www/apache2/distinfo b/www/apache2/distinfo
index db7f2a34ac8..8ccc17d88d8 100644
--- a/www/apache2/distinfo
+++ b/www/apache2/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.50 2007/06/28 01:49:04 lkundrak Exp $
+$NetBSD: distinfo,v 1.50.2.1 2007/09/08 09:54:46 ghen Exp $
-SHA1 (httpd-2.0.59.tar.bz2) = 908209cd6e52f700d2a841a25de36e44d469c376
-RMD160 (httpd-2.0.59.tar.bz2) = 78b802354e338798a6978ece8b3568be97542174
-Size (httpd-2.0.59.tar.bz2) = 4743549 bytes
+SHA1 (httpd-2.0.61.tar.bz2) = 665017829022d287ffe3cec749e2b5b61252d7b4
+RMD160 (httpd-2.0.61.tar.bz2) = a2c2c90976a967112a9129b9716d880d71261882
+Size (httpd-2.0.61.tar.bz2) = 4580339 bytes
 SHA1 (patch-aa) = bff1ef591f5361e7169ff9005dcf86437b9dac23
 SHA1 (patch-ab) = 387892276efd49fd081a187c1123de26fb6486ba
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
@@ -13,5 +13,3 @@ SHA1 (patch-ak) = f11a86b1235d5c595fa381bbb474db4fe8448215
 SHA1 (patch-al) = 9af7b6c56177d971e135f0a00b3ab9ded5d1b6dd
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-ao) = c629a7563d0e555922526e26b266251144a14ff6
-SHA1 (patch-ap) = 3f9dbd6dbbadb54f5255dfdb15decc6cc7e8eccc
-SHA1 (patch-aq) = d1e0243b28c9e224746fa5cac1321f55c5c0927e
diff --git a/www/apache2/patches/patch-ap b/www/apache2/patches/patch-ap
deleted file mode 100644
index 7d42ccc770c..00000000000
--- a/www/apache2/patches/patch-ap
+++ /dev/null
@@ -1,44 +0,0 @@
-$NetBSD: patch-ap,v 1.3 2007/06/28 01:49:04 lkundrak Exp $
-
-Fix for CVE-2006-5752 XSS in mod_status with ExtendedStatus on.
-
---- modules/generators/mod_status.c.orig 2006-07-12 09:40:55.000000000 +0200
-+++ modules/generators/mod_status.c
-@@ -269,7 +269,7 @@ static int status_handler(request_rec *r
- if (r->method_number != M_GET)
- return DECLINED;
-
-- ap_set_content_type(r, "text/html");
-+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
-
- /*
- * Simple table-driven form data set parser that lets you alter the header
-@@ -298,7 +298,7 @@ static int status_handler(request_rec *r
- no_table_report = 1;
- break;
- case STAT_OPT_AUTO:
-- ap_set_content_type(r, "text/plain");
-+ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
- short_report = 1;
- break;
- }
-@@ -664,7 +664,8 @@ static int status_handler(request_rec *r
- ap_escape_html(r->pool,
- ws_record->client),
- ap_escape_html(r->pool,
-- ws_record->request),
-+ ap_escape_logitem(r->pool,
-+ ws_record->request)),
- ap_escape_html(r->pool,
- ws_record->vhost));
- }
-@@ -753,7 +754,8 @@ static int status_handler(request_rec *r
- ap_escape_html(r->pool,
- ws_record->vhost),
- ap_escape_html(r->pool,
-- ws_record->request));
-+ ap_escape_logitem(r->pool,
-+ ws_record->request)));
- } /* no_table_report */
- } /* for (j...) */
- } /* for (i...) */
diff --git a/www/apache2/patches/patch-aq b/www/apache2/patches/patch-aq
deleted file mode 100644
index 243e6873394..00000000000
--- a/www/apache2/patches/patch-aq
+++ /dev/null
@@ -1,87 +0,0 @@
-$NetBSD: patch-aq,v 1.3 2007/06/28 01:49:04 lkundrak Exp $
-
-Fix for CVE-2007-1863 remote crash when mod_cache enabled.
-
---- modules/experimental/cache_util.c.orig 2006-07-12 09:40:55.000000000 +0200
-+++ modules/experimental/cache_util.c
-@@ -186,10 +186,12 @@ CACHE_DECLARE(int) ap_cache_check_freshn
- age = ap_cache_current_age(info, age_c, r->request_time);
-
- /* extract s-maxage */
-- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
-+ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
-+ && val != NULL) {
- smaxage = apr_atoi64(val);
- }
-- else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)) {
-+ else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)
-+ && val != NULL) {
- smaxage = apr_atoi64(val);
- }
- else {
-@@ -197,7 +199,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn
- }
-
- /* extract max-age from request */
-- if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
-+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
-+ && val != NULL) {
- maxage_req = apr_atoi64(val);
- }
- else {
-@@ -205,10 +208,12 @@ CACHE_DECLARE(int) ap_cache_check_freshn
- }
-
- /* extract max-age from response */
-- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
-+ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
-+ && val != NULL) {
- maxage_cresp = apr_atoi64(val);
- }
-- else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)) {
-+ else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)
-+ && val != NULL) {
- maxage_cresp = apr_atoi64(val);
- }
- else
-@@ -231,14 +236,28 @@ CACHE_DECLARE(int) ap_cache_check_freshn
-
- /* extract max-stale */
- if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
-- maxstale = apr_atoi64(val);
-+ if(val != NULL) {
-+ maxstale = apr_atoi64(val);
-+ }
-+ else {
-+ /*
-+ * If no value is assigned to max-stale, then the client is willing
-+ * to accept a stale response of any age (RFC2616 14.9.3). We will
-+ * set it to one year in this case as this situation is somewhat
-+ * similar to a "never expires" Expires header (RFC2616 14.21)
-+ * which is set to a date one year from the time the response is
-+ * sent in this case.
-+ */
-+ maxstale = APR_INT64_C(86400*365);
-+ }
- }
- else {
- maxstale = 0;
- }
-
- /* extract min-fresh */
-- if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
-+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
-+ && val != NULL) {
- minfresh = apr_atoi64(val);
- }
- else {
-@@ -384,6 +403,9 @@ CACHE_DECLARE(int) ap_cache_liststr(apr_
- next - val_start);
- }
- }
-+ else {
-+ *val = NULL;
-+ }
- }
- return 1;
- }
--
cgit v1.2.3